From e73e1e0f217af458189b67f24acde629deef8815 Mon Sep 17 00:00:00 2001 From: niansa Date: Wed, 18 Jan 2023 23:16:10 +0100 Subject: [PATCH] Further improved admin impersonation --- modules/AdminImpersonate.hpp | 57 +++++++++++++++++++++++++++++------- modules/LibInherit.hpp | 12 ++++---- modules/PolicyDisable.hpp | 4 +-- modules/RemoteLockBreak.hpp | 10 +++---- 4 files changed, 60 insertions(+), 23 deletions(-) diff --git a/modules/AdminImpersonate.hpp b/modules/AdminImpersonate.hpp index 7a32ca3..6d93e1d 100644 --- a/modules/AdminImpersonate.hpp +++ b/modules/AdminImpersonate.hpp @@ -14,6 +14,9 @@ class AdminImpersonate : public ModuleBase { inline static decltype(&CheckTokenMembership) TrueCheckTokenMembership; inline static decltype(&NtOpenFile) TrueNtOpenFile; inline static decltype(&NtCreateFile) TrueNtCreateFile; + inline static decltype(&NtAccessCheck) TrueNtAccessCheck; + inline static decltype(&NtAccessCheckAndAuditAlarm) TrueNtAccessCheckAndAuditAlarm; + inline static decltype(&NtPrivilegeCheck) TrueNtPrivilegeCheck; static BOOL __stdcall DetourIsUserAnAdmin() { @@ -22,7 +25,7 @@ class AdminImpersonate : public ModuleBase { static BOOL APIENTRY DetourCheckTokenMembership(_In_opt_ HANDLE TokenHandle, - _In_ PSID SidToCheck, _Out_ PBOOL IsMember) { + _In_ PSID SidToCheck, _Out_ PBOOL IsMember) { // fetch and allocate the local admin structure static SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY; static PSID LocalAdministratorsGroup = NULL; 
@@ -44,8 +47,8 @@ class AdminImpersonate : public ModuleBase { static NTSTATUS NTAPI DetourNtOpenFile(OUT PHANDLE FileHandle, - IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, - IN ULONG ShareAccess, IN ULONG OpenOptions) { + IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG ShareAccess, IN ULONG OpenOptions) { DWORD iStatus = TrueNtOpenFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions); @@ -58,9 +61,9 @@ class AdminImpersonate : public ModuleBase { static NTSTATUS NTAPI DetourNtCreateFile(OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, - IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, - IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, - IN ULONG CreateDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength) { + IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, + IN ULONG CreateDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength) { NTSTATUS iStatus = TrueNtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength); 
@@ -71,21 +74,55 @@ class AdminImpersonate : public ModuleBase { return iStatus; } + static + NTSTATUS NTAPI DetourNtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN HANDLE Handle, IN ACCESS_MASK AccessMask, + IN PGENERIC_MAPPING pGenericMapping, IN PPRIVILEGE_SET PrivilegeSet, PULONG Unk1, PULONG Unk2, OUT NTSTATUS* Result) { + TrueNtAccessCheck(SecurityDescriptor, Handle, AccessMask, pGenericMapping, PrivilegeSet, Unk1, Unk2, Result); + *Result = STATUS_SUCCESS; + return STATUS_SUCCESS; + } + static + NTSTATUS NTAPI DetourNtAccessCheckAndAuditAlarm(PUNICODE_STRING A, HANDLE B, PUNICODE_STRING C, PUNICODE_STRING D, PSECURITY_DESCRIPTOR E, ACCESS_MASK F, + PGENERIC_MAPPING G, BOOLEAN H, PACCESS_MASK I , PBOOLEAN J, PBOOLEAN K) { + auto res = MessageBoxA(nullptr, "Unsupported method called.", "Policy Tool Warning", MB_CANCELTRYCONTINUE); + switch (res) { + case IDCANCEL: return STATUS_NOT_IMPLEMENTED; + case IDTRYAGAIN: return STATUS_SUCCESS; + case IDCONTINUE: return TrueNtAccessCheckAndAuditAlarm(A, B, C, D, E, F, G, H, I, J, K); + default: abort(); + } + } + + static + NTSTATUS NTAPI DetourNtPrivilegeCheck(IN HANDLE, PRIVILEGE_SET, OUT PBOOLEAN Result) { + *Result = TRUE; + return STATUS_SUCCESS; + } + public: AdminImpersonate() { TrueIsUserAnAdmin = IsUserAnAdmin; TrueCheckTokenMembership = CheckTokenMembership; TrueNtOpenFile = reinterpret_cast(GetProcAddress(LoadLibraryW(L"ntdll.dll"), "NtOpenFile")); TrueNtCreateFile = reinterpret_cast(GetProcAddress(LoadLibraryW(L"ntdll.dll"), "NtCreateFile")); + TrueNtAccessCheck = reinterpret_cast(GetProcAddress(LoadLibraryW(L"ntdll.dll"), "NtAccessCheck")); + TrueNtAccessCheckAndAuditAlarm = reinterpret_cast(GetProcAddress(LoadLibraryW(L"ntdll.dll"), "NtAccessCheckAndAuditAlarm")); + TrueNtPrivilegeCheck = reinterpret_cast(GetProcAddress(LoadLibraryW(L"ntdll.dll"), "NtPrivilegeCheck")); DetourAttach(&reinterpret_cast(TrueNtOpenFile), reinterpret_cast(DetourNtOpenFile)); 
DetourAttach(&reinterpret_cast(TrueNtCreateFile), reinterpret_cast(DetourNtCreateFile)); - DetourAttach(&reinterpret_cast(TrueIsUserAnAdmin), reinterpret_cast(IsUserAnAdmin)); - DetourAttach(&reinterpret_cast(TrueCheckTokenMembership), reinterpret_cast(CheckTokenMembership)); + DetourAttach(&reinterpret_cast(TrueIsUserAnAdmin), reinterpret_cast(DetourIsUserAnAdmin)); + DetourAttach(&reinterpret_cast(TrueCheckTokenMembership), reinterpret_cast(DetourCheckTokenMembership)); + DetourAttach(&reinterpret_cast(TrueNtAccessCheck), reinterpret_cast(DetourNtAccessCheck)); + DetourAttach(&reinterpret_cast(TrueNtAccessCheckAndAuditAlarm), reinterpret_cast(DetourNtAccessCheckAndAuditAlarm)); + DetourAttach(&reinterpret_cast(TrueNtPrivilegeCheck), reinterpret_cast(DetourNtPrivilegeCheck)); } ~AdminImpersonate() { DetourDetach(&reinterpret_cast(TrueNtOpenFile), reinterpret_cast(DetourNtOpenFile)); DetourDetach(&reinterpret_cast(TrueNtCreateFile), reinterpret_cast(DetourNtCreateFile)); - DetourDetach(&reinterpret_cast(TrueIsUserAnAdmin), reinterpret_cast(IsUserAnAdmin)); - DetourDetach(&reinterpret_cast(TrueCheckTokenMembership), reinterpret_cast(CheckTokenMembership)); + DetourDetach(&reinterpret_cast(TrueIsUserAnAdmin), reinterpret_cast(DetourIsUserAnAdmin)); + DetourDetach(&reinterpret_cast(TrueCheckTokenMembership), reinterpret_cast(DetourCheckTokenMembership)); + DetourDetach(&reinterpret_cast(TrueNtAccessCheck), reinterpret_cast(DetourNtAccessCheck)); + DetourDetach(&reinterpret_cast(TrueNtAccessCheckAndAuditAlarm), reinterpret_cast(DetourNtAccessCheckAndAuditAlarm)); + DetourDetach(&reinterpret_cast(TrueNtPrivilegeCheck), reinterpret_cast(DetourNtPrivilegeCheck)); } }; diff --git a/modules/LibInherit.hpp b/modules/LibInherit.hpp index 14388e3..110b17d 100644 --- a/modules/LibInherit.hpp +++ b/modules/LibInherit.hpp 
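Review bot: DetourNtAccessCheck discards the status of the real NtAccessCheck and unconditionally sets `*Result = STATUS_SUCCESS`, but never writes the granted-access out-parameter (`Unk2`), so a caller whose check was denied sees AccessStatus=success paired with GrantedAccess=0, and a syscall that failed outright (bad buffer, bad token handle) is reported as success with nothing written to the out-parameters at all — the rewrite below overrides only an NT_SUCCESS result, fills GrantedAccess consistently with the forced verdict, and names the parameters after the documented prototype (BufferLength, GrantedAccess, AccessStatus), which I believe is right but is worth checking against ntifs.h. DetourNtPrivilegeCheck declares its second parameter as `PRIVILEGE_SET` by value where the system call takes `PPRIVILEGE_SET`; on x64 MSVC this probably works only because a 20-byte struct is passed by hidden reference, while under x86 __stdcall it would shift `Result` and break callee stack cleanup, so it should read `IN PPRIVILEGE_SET`. In DetourNtAccessCheckAndAuditAlarm, `default: abort();` also fires when MessageBoxA returns 0 (no interactive window station, e.g. a service or a child spawned without a desktop) and kills the host process, so `default:` should fall through to `TrueNtAccessCheckAndAuditAlarm(A, B, C, D, E, F, G, H, I, J, K)`; the IDTRYAGAIN branch likewise returns STATUS_SUCCESS without writing `I`, `J` or `K`, leaving the caller's GrantedAccess/AccessStatus uninitialized. The enclosing class AdminImpersonate begins outside this hunk.
```cpp
static
NTSTATUS NTAPI DetourNtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, IN HANDLE ClientToken, IN ACCESS_MASK DesiredAccess,
    IN PGENERIC_MAPPING GenericMapping, IN PPRIVILEGE_SET RequiredPrivilegesBuffer, IN OUT PULONG BufferLength,
    OUT PACCESS_MASK GrantedAccess, OUT NTSTATUS* AccessStatus) {
    NTSTATUS iStatus = TrueNtAccessCheck(SecurityDescriptor, ClientToken, DesiredAccess, GenericMapping,
                                         RequiredPrivilegesBuffer, BufferLength, GrantedAccess, AccessStatus);
    // Only rewrite the verdict of a check the kernel actually performed; a failed syscall
    // (bad buffer, bad handle) never filled the out-parameters, so it must pass through.
    if (!NT_SUCCESS(iStatus))
        return iStatus;
    // Keep GrantedAccess consistent with the forced AccessStatus: callers that test the
    // granted mask instead of the status must also see the request as granted.
    // NOTE(review): generic bits should be mapped via RtlMapGenericMask if it is in scope.
    *GrantedAccess = (DesiredAccess & MAXIMUM_ALLOWED) ? GenericMapping->GenericAll : DesiredAccess;
    *AccessStatus = STATUS_SUCCESS;
    return STATUS_SUCCESS;
}
// … unchanged: DetourNtAccessCheckAndAuditAlarm, DetourNtPrivilegeCheck, constructor, destructor …
```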
@@ -12,9 +12,9 @@ class LibInherit : public ModuleBase { static BOOL WINAPI DetourCreateProcessA(_In_opt_ LPCSTR lpApplicationName, _Inout_opt_ LPSTR lpCommandLine, - _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, - _In_ BOOL bInheritHandles, _In_ DWORD dwCreationFlags, _In_opt_ LPVOID lpEnvironment, - _In_opt_ LPCSTR lpCurrentDirectory, _In_ LPSTARTUPINFOA lpStartupInfo, _Out_ LPPROCESS_INFORMATION lpProcessInformation + _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, + _In_ BOOL bInheritHandles, _In_ DWORD dwCreationFlags, _In_opt_ LPVOID lpEnvironment, + _In_opt_ LPCSTR lpCurrentDirectory, _In_ LPSTARTUPINFOA lpStartupInfo, _Out_ LPPROCESS_INFORMATION lpProcessInformation ) { return DetourCreateProcessWithDllExA(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, @@ -23,9 +23,9 @@ class LibInherit : public ModuleBase { static BOOL WINAPI DetourCreateProcessW(_In_opt_ LPCWSTR lpApplicationName, _Inout_opt_ LPWSTR lpCommandLine, - _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, - _In_ BOOL bInheritHandles, _In_ DWORD dwCreationFlags, _In_opt_ LPVOID lpEnvironment, - _In_opt_ LPCWSTR lpCurrentDirectory, _In_ LPSTARTUPINFOW lpStartupInfo, _Out_ LPPROCESS_INFORMATION lpProcessInformation + _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes, _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes, + _In_ BOOL bInheritHandles, _In_ DWORD dwCreationFlags, _In_opt_ LPVOID lpEnvironment, + _In_opt_ LPCWSTR lpCurrentDirectory, _In_ LPSTARTUPINFOW lpStartupInfo, _Out_ LPPROCESS_INFORMATION lpProcessInformation ) { return DetourCreateProcessWithDllExW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, 
diff --git a/modules/PolicyDisable.hpp b/modules/PolicyDisable.hpp index 17a59a0..a507fcf 100644 --- a/modules/PolicyDisable.hpp +++ b/modules/PolicyDisable.hpp @@ -15,8 +15,8 @@ class PolicyDisable : public ModuleBase { static NTSTATUS WINAPI DetourNtQueryValueKey(_In_ HANDLE KeyHandle, - _In_ PUNICODE_STRING ValueName, _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, - _Out_opt_ PVOID KeyValueInformation, _In_ ULONG Length, _Out_ PULONG ResultLength) { + _In_ PUNICODE_STRING ValueName, _In_ KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + _Out_opt_ PVOID KeyValueInformation, _In_ ULONG Length, _Out_ PULONG ResultLength) { // lookup the size for the key name so we can allocate space for it DWORD iKeyNameSize; if (NtQueryKey(KeyHandle, KeyNameInformation, NULL, 0, &iKeyNameSize) != STATUS_BUFFER_TOO_SMALL) { diff --git a/modules/RemoteLockBreak.hpp b/modules/RemoteLockBreak.hpp index 367edc5..55fbc99 100644 --- a/modules/RemoteLockBreak.hpp +++ b/modules/RemoteLockBreak.hpp @@ -13,8 +13,8 @@ class RemoteLockBreak : public ModuleBase { static NTSTATUS NTAPI DetourNtOpenFile(OUT PHANDLE FileHandle, - IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, - IN ULONG ShareAccess, IN ULONG OpenOptions) { + IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG ShareAccess, IN ULONG OpenOptions) { DWORD iStatus = TrueNtOpenFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, ShareAccess, OpenOptions); 
@@ -31,9 +31,9 @@ class RemoteLockBreak : public ModuleBase { static NTSTATUS NTAPI DetourNtCreateFile(OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, - IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, - IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, - IN ULONG CreateDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength) { + IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, + IN ULONG CreateDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength) { NTSTATUS iStatus = TrueNtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);